junie
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the junie CLI to perform code reviews and task implementation. It follows safe practices for handling shell input, such as using temporary files created with mktemp and quoted heredocs to prevent unintended shell expansion.
- [DATA_EXFILTRATION]: By design, the skill gathers local repository data (file contents and git diffs) and transmits it to the Junie CLI. This is the intended behavior for delegating work to an external agent.
- [PROMPT_INJECTION]: The skill provides an interface that is susceptible to indirect prompt injection because it reads untrusted repository data and includes it in prompts for another LLM.
  - Ingestion points: references/shared-procedure.md (Step 4 reads plan documents, code files, and git diffs).
  - Boundary markers: Prompt construction in references/shared-procedure.md (Step 5) lacks explicit markers or instructions to isolate the ingested context from the agent's instructions.
  - Capability inventory: Shell execution of the junie CLI and file system manipulation via mktemp/rm are utilized in references/shared-procedure.md (Step 6).
  - Sanitization: No sanitization of the gathered context is performed before it is sent to the target CLI.
Audit Metadata